The path to becoming a cloud security expert
This is a follow-up to our article The path to becoming a cybersecurity expert. If you’re just beginning your cybersecurity career, you’ll want to start there.
Assuming that you have been in the cybersecurity field for some time now and want to pivot to cloud, the path below will make you an incredibly well-rounded cloud security professional.
As before, I’m not going to try to dictate what learning method works best for you.
All of the certifications I’m going to cover have self-study and authorized training options.
The Certificate of Cloud Security Knowledge (CCSK) is the first step, and I say this for multiple reasons.
First, the CCSK is a very well-regarded cloud security certification.
Secondly, it is the foundation for the Certified Cloud Security Professional (CCSP) exam.
So you get knowledge that counts towards the two biggest cloud security certifications on the market today.
The CCSK certification is all about what the differences are between traditional and cloud security. This is why I say you can’t bypass the cybersecurity path and jump right into cloud security.
There are three options at your disposal:
First, there are a couple of documents available on the Cloud Security Alliance (CSA) website.
These are the CSA Guidance v4 and ENISA documents. These are part of the CSA Exam Prep Kit. It has all the information you need, free of charge.
Secondly, there’s the McGraw-Hill CCSK All-In-One Exam Guide written by Graham Thompson (yup, that’s me!).
Since you know I’m the author, I could say it’s a great way to prepare for the exam, but I’d be biased.
Check out the Amazon reviews. I have never asked a single person to write a positive review – ever. You’ll see many people that have said it is much easier to understand the material using this book than it is to read through the guidance documentation.
Then, you have the official CCSK Training, which is, with few exceptions, the only course I teach here at Intrinsec Security.
The training is a 2-day course consisting of lectures and demonstrations (CCSK Foundation) or a 3-day course consisting of lectures, demonstrations and hands-on labs (CCSK Plus).
The cost of the CCSK exam is $395 USD and includes two attempts.
My All-in-One Exam Guide book includes a 10% discount.
Both of the training options (2-day Foundation and 3-day Plus) include the exam free of charge.
Just like a standard exam registration, it is good for two attempts.
Preparedness matters, though, because it’s a tough exam.
That’s why I created videos and a battery of test questions for students, some of which are available publicly on our Resources section. Additional material such as instant access to on-demand training, exam prep videos and over 200 pre-test questions are free for all Intrinsec CCSK students.
The Certified Cloud Security Professional (CCSP) was created through a partnership between the CSA and (ISC)².
I hope I don’t get myself into trouble by sharing a little bit about the CCSP creation process, but it’s important information.
When these two parties made their partnership, there were individuals associated with the CSA selected to be subject matter experts for the creation of the various domains of the CCSP.
I was honored to be selected as one of them.
We all worked on our own domains. (ISC)² came up with the topics that were required as part of the new Common Body of Knowledge (CBK).
We subject matter experts (SMEs) then wrote the content, which was handed off to their editors, and the certification exam was then created.
The above is to clearly show why I say studying for the CCSK is a direct path to CCSP certification as well. Mind you, it’s not an exact mapping.
There is more content in the CCSP than there is in the CCSK.
I have written on this before and it’s still relevant today. You can find the differences between the two certifications in the article I wrote about it. It’s a two-part discussion, in sequence.
You have two learning options for the CCSP.
There’s Daniel Carter’s CCSP All-In-One Exam Guide and there’s a 5-day training course that we proudly offer at Intrinsec Security as a Preferred (ISC)² Training Provider.
Well, actually, there’s a third option in our CCSK & CCSP Bootcamp course.
Be warned though, this CCSK & CCSP bootcamp course is a challenge!
We take the 3-day CCSK Plus course so you get the lectures and hands-on labs and add an accelerated 2-day CCSP course.
We know people can only handle so much in a week, so we include the official on-demand training for both CCSK and CCSP.
Although the 2-day CCSP session covers everything in the 5-day course, we focus on the content differences between the two certifications.
The CCSP exam costs $599 USD.
Unlike the CCSK which is an open-book exam that can be taken from your home at any time you wish, the CCSP exam is a closed-book exam that must be done at a testing center.
I have seen some employers say they trust the CCSP certification for their people more because it is a closed-book exam with much less possibility of cheating.
Other employers don’t really care which cloud security certification someone has, as long as it’s either the CCSK or CCSP.
These courses form the vendor-agnostic view of cloud security that is absolutely critical to have as a cloud security professional.
When you take only vendor training, you don’t learn what industry best practices are.
You have blinders on: you see what the vendor’s solution is, not what it should be according to best practice (cough Microsoft Azure cough).
Both the CCSK and CCSP certifications demonstrate that you have knowledge of the:
- Who – Which party is responsible for securing different aspects of the cloud
- What – What changes there are in the cloud compared to a traditional infrastructure
- Where – What controls can be deployed in the cloud, and what controls should sit with a third party or in the datacenter
- When – What priorities need to be addressed before others when using the cloud
- Why – Why cloud security can be very different from a traditional deployment
The one thing missing is the How.
This is where vendor-specific tactical training comes in.
See, the CCSK and the CCSP don’t address how you implement controls in different environments.
The labs in the CCSK do use Amazon Web Services (AWS) as the cloud service, but those labs truly are to drive home the concepts from the course material.
The CCSP has no hands-on activities at all.
One more thing, and please, I beg of you: don’t think you’re going to be an AWS master because you took the CCSK Plus course.
Yes, you’ll have a small exposure to AWS, but if you have been working hands on keyboard with AWS for a while, you’ll probably find the labs “basic”.
By basic, I mean establishing Identity and Access Management (IAM) and Multi-Factor Authentication (MFA), logging, setting up encryption keys, establishing real-time notifications and other core concepts that trace back to the material.
No course can be everything to everyone. If you want deep-dive AWS knowledge and a focus on the “how-tos”, you’re going to need vendor-specific training.
Vendor-specific training and certification
Now that you understand the five W’s from your CCSK and/or CCSP certification, it’s time to move to the Hows of cloud security.
The following vendor offerings are useful to hands-on tactical positions with particular cloud service providers:
Amazon Web Services (AWS)
First off, we have the AWS certifications.
I would say there are at least two, possibly three, certifications that validate your knowledge of how to secure AWS:
- AWS Certified Solutions Architect (Associate)
- AWS Certified Security – Specialty
- AWS Certified Solutions Architect (Professional)
As far as training options go, AWS has incredible documentation available.
Additionally, as a “how” type of course, I really believe your best learning method is experience with the offerings covered in the exam preparation guides.
The exams range from $150 USD (Associate architect exam) to $300 USD (Professional architect and security specialty certifications).
All AWS exams must be written at a test center.
Microsoft Azure
Next, we have the Microsoft Azure certifications.
Same deal as with AWS just above: architecture training and then a security specialty.
Depending on your Azure experience, you may want to take Azure Fundamentals first before proceeding to the others.
The certifications to consider are:
- Azure Fundamentals
- Azure Solutions Architect Expert (requires two exams)
- Azure Security Engineer
As for cost, the Microsoft Azure exams are $165 USD each except the fundamentals exam which costs $99 USD.
Google Cloud
Google Cloud training is interesting, and there are two certifications to consider, depending on your own goals.
Google has teamed up with Coursera for training.
As far as the exam costs go, the engineer certification exam is $125 USD, while the security engineer exam is $200 USD.
Unless you are already employed in a company that is using Google Cloud, I’d probably look to AWS or Azure first.
This statement is purely based on market share and current adoption trends. I’m not saying Google is bad, because they aren’t.
But even Google Cloud Executives would admit they are trying to catch up to Amazon AWS and Microsoft Azure.
Please don’t send me hate mail over this statement!
Let’s get started!
That’s it! Now you have what you need to begin your path towards becoming a cloud security expert.
If you need any assistance in making some decisions about any of the options noted, including our cloud security certification courses, get in touch with us and one of our experts will be happy to assist you.